A home network serves a wireless service to visiting User Equipment (UEs) affiliated with visited networks and authorizes the wireless service for home UEs that are visiting the visited networks. A gateway transfers home context to a distributed ledger and receives visited context from the distributed ledger. The gateway transfers the visited context to a controller. The controller exchanges authorization data with the visited networks based on the visited context and the home context. The controller authorizes the wireless data service for the home UEs and the visiting UEs responsive to the exchange of the authorization data. The controller transfers session signaling to wireless access nodes responsive to the authorization of the wireless data service for the visiting UEs. The controller transfers authorization signaling to the visited networks responsive to the authorization of the wireless service for the home UEs.

A cryptographic method is provided. The cryptographic method comprises an initialisation phase for determining a provisional generator point G′ equal to a first product G′=[d′]G, where d′ is a first random scalar forming a secret key of N bits and G is a generator point of an elliptical curve, and determining a provisional key Q′ equal to a second product Q′=[d′]Q, where Q is a point of the elliptical curve forming a public key. During an encryption phase a second random scalar forming a second secret key k of M bits, with M<N; a public key P is calculated such that P=[k]G′; a coordinate of an intermediate point SP1, of the elliptical curve, equal to a fourth product SP1=[k]Q′; at least one key by application of a derivation function (F1); and data (T1) are encrypted based on said at least one key.

A service management system communicates via wide area network with gateway devices located at respective user premises. The service management system remotely manages delivery of application services, which can be voice controlled, by a gateway, e.g. by selectively activating/deactivating service logic modules in the gateway. The service management system also may selectively provide secure communications and exchange of information among gateway devices and among associated endpoint devices. An exemplary service management system includes a router connected to the network and one or more computer platforms, for implementing management functions. Examples of the functions include a connection manager for controlling system communications with the gateway devices, an authentication manager for authenticating each gateway device and controlling the connection manager and a subscription manager for managing applications services and/or features offered by the gateway devices. A service manager, controlled by the subscription manager, distributes service specific configuration data to authenticated gateway devices.

A service management system communicates via wide area network with gateway devices located at respective user premises. The service management system remotely manages delivery of application services, which can be voice controlled, by a gateway, e.g. by selectively activating/deactivating service logic modules in the gateway. The service management system also may selectively provide secure communications and exchange of information among gateway devices and among associated endpoint devices. An exemplary service management system includes a router connected to the network and one or more computer platforms, for implementing management functions. Examples of the functions include a connection manager for controlling system communications with the gateway devices, an authentication manager for authenticating each gateway device and controlling the connection manager and a subscription manager for managing applications services and/or features offered by the gateway devices. A service manager, controlled by the subscription manager, distributes service specific configuration data to authenticated gateway devices.

Technologies for systems, methods and computer-readable storage media for reducing the time to complete authentication during inter-technology handovers by reusing security context between 5G and Wi-Fi. Assuming, that the administrative domain for Wi-Fi and 5G match (and belongs to an enterprise for instance), using an already established security context in one technology to do fast authentication in the other technology during handover. Specifically, if UE is on Wi-Fi and handing over to 5G, use its Wi-Fi security context to do fast security setup in 5G, which includes a corresponding method for use when the UE goes from 5G to Wi-Fi.

Technologies for systems, methods and computer-readable storage media for reducing the time to complete authentication during inter-technology handovers by reusing security context between 5G and Wi-Fi. Assuming, that the administrative domain for Wi-Fi and 5G match (and belongs to an enterprise for instance), using an already established security context in one technology to do fast authentication in the other technology during handover. Specifically, if UE is on Wi-Fi and handing over to 5G, use its Wi-Fi security context to do fast security setup in 5G, which includes a corresponding method for use when the UE goes from 5G to Wi-Fi.

Presented herein are techniques to facilitate secure communications with an Application Function (AF) for a client device that does not support Authentication and Key Management for Applications (AKMA) functionality. In one example, a method includes obtaining, by a user plane function (UPF), a first uplink data packet from a client device, wherein the first uplink data packet is to be communicated to an application; determining, by the UPF based on the first uplink data packet, whether the client device supports AKMA functionality; based on determining that the client device does not support the AKMA functionality, buffering at least the first uplink data packet by the user plane function and determining whether the application supports the AKMA functionality; and based on determining that the application supports the AKMA functionality, performing AKMA functionality by the UPF for the client device for data communications between the client device and the application.

Presented herein are techniques to facilitate secure communications with an Application Function (AF) for a client device that does not support Authentication and Key Management for Applications (AKMA) functionality. In one example, a method includes obtaining, by a user plane function (UPF), a first uplink data packet from a client device, wherein the first uplink data packet is to be communicated to an application; determining, by the UPF based on the first uplink data packet, whether the client device supports AKMA functionality; based on determining that the client device does not support the AKMA functionality, buffering at least the first uplink data packet by the user plane function and determining whether the application supports the AKMA functionality; and based on determining that the application supports the AKMA functionality, performing AKMA functionality by the UPF for the client device for data communications between the client device and the application.

In one embodiment, a method for secure virtualized wireless base station orchestration comprises: obtaining a node certificate and private key from a global CA defining a PKI signing certificate/private key; obtaining a sub CA certificate/private key from either an edge cloud node cluster or the global CA, using a PKI request signed using the PKI signing certificate/private key; establishing an orchestration access IPsec tunnel to a cloud comprising edge cloud orchestration functions; utilizing the orchestration functions to deploy on the node virtualized entities comprising VNFs of a wireless base station; obtaining at least one VNF certificate and private key for the VNFs from the global CA using a PKI request signed using the global certificate/private key; utilizing the VNF certificate/private key, establishing IPsec tunnels between the VNFs and a wireless network services operator network and/or to an OAM secure gateway for a DMS.

In one embodiment, a method for secure virtualized wireless base station orchestration comprises: obtaining a node certificate and private key from a global CA defining a PKI signing certificate/private key; obtaining a sub CA certificate/private key from either an edge cloud node cluster or the global CA, using a PKI request signed using the PKI signing certificate/private key; establishing an orchestration access IPsec tunnel to a cloud comprising edge cloud orchestration functions; utilizing the orchestration functions to deploy on the node virtualized entities comprising VNFs of a wireless base station; obtaining at least one VNF certificate and private key for the VNFs from the global CA using a PKI request signed using the global certificate/private key; utilizing the VNF certificate/private key, establishing IPsec tunnels between the VNFs and a wireless network services operator network and/or to an OAM secure gateway for a DMS.